Methods of accessing and providing access to a remote resource from a data processing device

ABSTRACT

A method of accessing a remote resource ( 4 ) from a data processing device ( 2 ) includes obtaining a first URL corresponding to the remote resource ( 4 ), obtaining secret data corresponding to the first URL, using the secret data to generate an obscured URL at the data processing device ( 2 ), and accessing the remote resource using the obscured URL. This allows the user of the device ( 2 ) to see a first URL which is intelligible and provides useful information about the device, without sharing that information with the network. The obscured URL identifies the actual location of the remote resource and can be an unintelligible stream of digits or letters.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a National Phase entry of PCT Application No.PCT/GB2015/051410, filed on May 13, 2015, which claims priority to GBPatent Application No. 1409853.7, filed on Jun. 3, 2014, which arehereby fully incorporated herein by reference.

The present technique relates to the field of data processing. Moreparticularly, the technique relates to accessing, or providing accessto, a remote resource from a data processing device.

Cloud computing services are becoming more common. More and more devicesare being connected to the cloud, for example as part of the “Internetof Things”. For example, relatively small devices such as temperaturesensors, healthcare monitors and electronic door locks can be connectedto the cloud so that they can be accessed and controlled using remotesystems. For example, the door may be remotely opened from a remoteplatform, or data from a temperature sensor or healthcare monitor may beaggregated at a remote location and accessed from another device. Hence,there is an increasing amount of data being collected by cloud platformsand their providers.

However, there is also an increasing distrust of giving large companiessuch as the cloud provider data about an individual and the individual'sdevices. Currently, when data is provided to a cloud service then thereis little protection for the user's personal information. Nevertheless,cloud services are useful and so it is still desired to be able tointeract with other devices securely over the cloud. The presenttechnique seeks to provide a more secure method of accessing remoteresources from a data processing device.

Viewed from one aspect, the present technique provides a method ofaccessing a remote resource from a data processing device, the methodcomprising:

obtaining a first uniform resource locator (URL) corresponding to theremote resource;

obtaining secret data corresponding to the first URL;

generating an obscured URL at the data processing device using thesecret data corresponding to the first URL, wherein the obscured URL isfor obtaining the actual location of the remote resource; and

accessing the remote resource using the obscured URL.

The present technique recognizes that it is not just the data stored atremote resources that may contain personal or sensitive information. TheURL (uniform resource locator) from which the resource is accessed mayitself give away information. For example, a user may have a devicewhose URL includes information about the type, make, model, function orlocation of the device, or information about the user who owns thedevice. Similarly, a website may have a URL which may containinformation describing or hinting at the interests or details of theperson running the website. This means that often the informationincluded in the URL of the remote resource may be as interesting tocloud providers or “big data” aggregators as the actual data of theremote resource. In current cloud platforms, the URL of the remoteresource is open to all and visible to the cloud infrastructure (e.g.through requests sent to a server) and so potentially may lead to lossof private or sensitive information. To maintain privacy, it is possibleto use a URL which does not give any meaningful information, such as arandom string of characters, but this makes it harder for the resourceto be accessed by both the person managing the resource and other users,since a random string of characters is difficult to remember.

The method of the present technique obtains a first URL corresponding tothe remote resource and secret data associated with the first URL. Thefirst URL may be an intuitive URL with descriptive data about what thedata at the remote resource means. The first URL may be obtained invarious ways, such as by the user of the device typing a URL, byclicking a link from an email or other website, or by the deviceaccessing a previously stored URL or a URL permanently embedded in thedevice. Using the secret data, the data processing device then generatesan obscured URL for obtaining the actual location of the remoteresource. The obscured URL is then used to access the remote resource.

Hence, the actual location of the remote resource is identified by theobscured URL, which may be any random string of characters (e.g.http://domain/a18b828f829e9 . . . ) which does not give away anypersonal information about the user or the user's devices. From thepoint of view of the cloud infrastructure, servers, and cloud providingor “big data” aggregating companies, the remote resource may beidentified solely by the obscured URL, so that the URL does not giveaway sensitive information. Nevertheless, the first URL may be used bythe data processing device to identify the remote resource. The firstURL may be a more natural looking URL (e.g.http://domain/health/alicesmith/bloodpressure/ . . . ) which has astructure which allows authorized users of the remote resource tointuitively understand what the data at a particular URL represents andhow the URL relates to other URLs, for example. The secret data allowsthe first URL to be mapped to the corresponding obscured URL at the dataprocessing device so that the first URL need not be known to the networkinfrastructure.

The remote resource may correspond to any data or device accessedremotely by the data processing device. For example, the remote resourcemay comprise a data processing device or embedded system which can becontrolled remotely from another platform; a remote computer, contentaggregator, server or cloud platform which receives data posted by thedata processing device; or a website or server accessed from the dataprocessing device. The access to the remote resource may include writingdata to the remote resource, reading data from the remote resource,and/or instructing a device associated with the remote resource to carryout an action, for example.

Data at the remote resource may be encrypted. For example, any data sentfrom the data processing device to the remote resource may be encryptedusing an encryption key included with the secret data for the first URL.This means that both the URL identifying the remote resource and thedata at the remote resource are obscured so that the networkinfrastructure or cloud operators have no visibility of any sensitiveinformation associated with the resource. If the obscured URL isgenerated using a secret key, then the same key may be used forencrypting the data and generating the obscured URL, or different keysmay be provided for generating the obscured URL and encrypted datarespectively. Keys for encryption may be maintained locally at thedevice or obtained from another location.

In general, the first URL may be visible to a user of the dataprocessing device. That is, the first URL may be the URL used by theuser to identify the remote resource. However, the first URL does notnecessarily need to be displayed on the data processing device itself.For example, a temperature sensor within a home heating system may beconnected to the cloud so that temperature data can be posted to aremote resource identified by the obscured URL, but may not have adisplay on which the user can see the first URL. The user may havevisibility of the first URL through a separate device such as a localheating controller within the user's home which communicates with thetemperature sensor via wireless signals for example.

In many cases, the first URL may not identify any actual location of aremote resource on the network. Hence, if a device which cannot generatethe obscured URL (e.g. it does not have the secret data for the firstURL) tries to access the first URL, then the access will fail. Forexample, an http 404 error message may arise because the resourceidentified by the first URL cannot be found. By not providing any reallocation on the network corresponding to the first URL, security can bemaintained.

It is also possible for the first URL to identify a real networklocation, but which corresponds to a different remote resource to theone accessed using the obscured URL, or to the same remote resource asthe obscured URL. For example, different versions of content may beprovided depending on whether the user has the secret key allowing theobscured URL to be generated. Also, in some cases the remote resourcecorresponding to the first URL may already be online identified by thefirst URL. For example, a legacy website designed without the use of thepresent technique may already have a URL containing intuitiveinformation. If the legacy resource was suddenly moved to the locationof the obscured URL to improve privacy/security, then the resourcemanager may lose users or customers who cannot find the old resourceanymore. Therefore, it may be useful for the transition to the presenttechnique to be made more gradually. At first, the legacy resource atthe first URL may operate in parallel with the more secure resource atthe obscured URL, so that the first URL will for a period correspond toa real network location. Once enough users/devices have been providedwith the secret data which allows them to locate the obscured URL, thelegacy resource can then be taken offline, at which point the first URLwill no longer point to a real location.

It is desirable that the generation of the obscured URL from the secretdata is such that the first URL cannot be obtained from the obscured URLusing the secret data. That is, the secret data may contain enoughinformation to allow the data processing device to generate the obscuredURL corresponding to the first URL, but not enough information for aparty to obtain the first URL from the obscured URL.

In some cases, the obscured URL may be generated by transforming thefirst URL into the obscured URL using the secret data. For example, thesecret data may include a secret key and the obscured URL can begenerated by encrypting the first URL using the key. For example, aone-way transformation, such as md5 or one of the SHA (Secure HashAlgorithm) family of transformations, may be used to hash the first URLbased on a secret string contained in the secret data. Even if someonehas the obscured URL and the secret string, it is not possible for themto determine the first URL used to generate the obscured URL.

It is also possible to generate the obscured URL based on informationincluded in the secret data. The generation of the obscured URL may beindependent of the particular character values of the first URL, i.e.the obscured URL is not a transformation of the first URL, but may bebased solely on information included in the secret data. In this case,an attempt to access the first URL may trigger the obscured URL to begenerated, but the first URL itself is not an input for the obscured URLgeneration. For example, the secret data could include the obscured URLitself, so that no transformation is required. Alternatively, the secretdata could include one or more secret strings or values which can betransformed into the obscured URL. Either way, even if someone has theobscured URL and the secret data, this does not provide any informationabout the first URL.

Also, in some cases the secret data may be part of the first URL itself(e.g. a code or string of characters within the first URL), and theobscured URL may be generated by applying a hash or other transformationto the first URL. Also, the secret data may be data defining a hashalgorithm to be applied to the first URL to generate the obscured URL.The secret data may be held locally by the device or may be obtainedfrom a website or other remote resource.

Different data processing devices may be allocated different secret datacorresponding to the same first URL. Therefore, when the differentdevices access the same first URL, this is mapped to different obscuredURLs using the different secret data, so that different remote resourcesare accessed by the respective devices. This is very useful for allowingdifferent content, or different representations of the same content, tobe provided to different users or groups of users. Each user or groupmay use the same first URL and so may not be aware that they are given adifferent view of content to other users. The different obscured URLsmay correspond to entirely different resources, or to different parts orsubsets of a common remote resource. For example, it may be desirable togive some groups of users access to the entire resource, while othergroups of users can only see selected sections of resource. Also, someusers may be able to see high resolution data (e.g. full-size images ortime series data sampled often) with other users seeing lower resolutiondata (e.g. compressed images or time series data sampled lessfrequently).

The obscured URL may identify the actual location of the remote resourceto be accessed. Hence, once the obscured URL has been generated, thedata processing device can simply access the location identified by theobscured URL.

However, if different versions of resource need to be made accessible todifferent users or groups of users, this approach may not be efficientas the resource manager may need to maintain multiple copies of data atdifferent URLs, increasing the overhead associated with updating ormaintaining the resource.

Therefore, it can be more efficient for the obscured URL to identify thelocation of a key node resource including data for obtaining a resourceURL identifying the remote resource itself. Hence, the secret data mapsthe first URL to a corresponding obscured URL, which is used to accessthe key node resource. The key node resource then gives further dataredirecting the device to the resource URL of the remote resource. Thedata at the key node resource may include the resource URL itself, datafor calculating the resource URL, or data identifying another remotelocation from which the resource URL may be obtained, for example.Hence, if different representations of the resource are required fordifferent users, each user can be provided with a different key noderesource, but the different key nodes may direct the user to a commonresource URL so that it is not necessary to maintain multiple versionsof the remote resource itself. As for the obscured URL, the resource URLmay also be a non-intelligible URL which does not contain sensitiveinformation.

The key node resource may include information for decrypting data at theremote resource.

The key node resources can also simplify revocation of access toresources by users or groups of users. If the obscured URL directlyidentifies the remote resource, revoking a user's access may require theremote resource to be moved to a new location and new secret dataprovided to other users who need to continue accessing the resource toallow those users to generate the new obscured URL. This is a relativelycomplex operation.

A more efficient approach may be to provide key node resourcesidentified by the obscured URLs generated using the different secretdata for each user. To revoke access to a user or an entire group ofusers, the key node resource for that user or group of users is simplyremoved. This means that if the revoked user or a user of the revokedgroup attempts to access the remote resource, the obscured URL generatedwith the corresponding secret data will no longer map to a real locationand so the access will fail preventing the real URL of the resourcebeing accessed. This avoids the need to relocate the resource itself orto redistribute new secrets to authorized users.

The key node resources also simplify revocation of access to a resourcefor a selected user within a group while maintaining access to theresource for the rest of the group. This can be done by generating newgroup secret data for the selected group of users, providing access tothe new secret data to the users of the group other than the selecteduser, creating a new key node resource identified by a new obscured URLgenerated using the new group secret data, the new key node resourcecomprising data for obtaining the resource URL of the remote resource,and making inaccessible the key node resource previously correspondingto the selected group of users. This means that the selected user whodoes not have the new secret data will not successfully reach a key noderesource which allows access to a remote resource.

The secret data may be stored locally at the data processing device, orobtained from another location. The secret data may be referred to belowas the “site secret” or “secret”.

The same secret may be used for accessing more than one remote resource(e.g. a party may provide a single secret for accessing all URLsmaintained by that party). Hence, when a device encounters a new URL, anew secret may also be supplied, but this is not essential since thedevice may already be in possession of a secret suitable for use withthat URL.

The data processing device may be able to access multiple secretscorresponding to the same resource. For example, there may be differenttypes of access permitted for different classes of user, and a singleuser may belong to several overlapping classes. For example a user mayhave a personal secret as well as a group secret corresponding to agroup of users of which the user is a member and/or a generic secretwhich can be used by anyone. Multiple secrets may be stored locally atthe data processing device.

An expansion URL can be provided to the data processing device (forexample as part of the secret data for the first URL) identifying alocation from which further secret data can be obtained. Using theexpansion URL simplifies the distribution of group secrets, allowingsecrets to be changed without having to directly contact each member ofthe group for example.

The data processing device can then attempt accesses to differentobscured URLs generated with each of the secrets. In some cases the dataprocessing device may try accessing one obscured URL, and if that doesnot succeed, try another obscured URL generated using a differentsecret, and continue trying until an access is successful or all of thesecrets have been tried. For example, the secrets may have apredetermined secret hierarchy setting an order in which the dataprocessing device should attempt to access the obscured URLs. Forexample, a personal secret may take precedence, followed by at least onegroup secret and then a generic secret. Alternatively, to improveperformance the data processing device may attempt accesses to severaldevices simultaneously on the expectation that some accesses may fail(this may be faster than trying each in sequence). A similar hierarchyof secrets may determine which secret should be prioritized if multipleaccesses are successful.

In some cases the secret key provided to the data processing device mayhave associated conditions for determining whether access to the remoteresource may be granted using the secret data. For example, a secretscope may be defined identifying a domain, sub-domain, folder, orspecified part of a site or collection of resources, for which thesecret applies. In this case, accesses using the secret may fail if theyare not within the scope parameter. The resource accessed using aparticular secret may correspond to only part of an overall website orcollection of resources, and other secrets may be required for otherparts of the remote resource. Another example of an access conditionincluded in the secret data may be a time constraint, so that the remoteresource may only be accessed successfully within a specified timewindow or period.

Data stored at the remote resource or transactions sent to the resourcemay be cached at network nodes between the data processing device andthe remote resource. For example, write transactions for writing data tothe resource may be cached as they travel up the network. Since both thedata and the URL of the remote resource can be made anonymous using thepresent technique, then this removes any risk of loss of privacy whenthe data is held by third parties. This frees up options for caching thedata or transactions for the remote resource in multiple places, whichcan be very useful for performance or reliability reasons. For example,even if the remote resource itself is not available (e.g. a device mayoperate in a power-saving state most of the time and may only wake upperiodically), its data may be read from a cache or proxy so that it isnot necessary to wait for the resource to become available again. Also,if the data from the resource is available in multiple places then onaccessing it the data can be obtained from the location with the lowestexpected transaction cost (which may be determined based on time orenergy for example). Similarly, when transactions are sent for theremote resource, and there are multiple communication channels availablefor a transaction then the channel with the lowest associated cost canbe selected (e.g. one of Bluetooth, WiFi, 3G or wired connections may beselected).

Data and transactions may also be proxied at boundaries betweendifferent protocols (e.g. HTTP and COAP) or different communicationmediums (e.g. Bluetooth and WiFi). If the data processing device and thedevice associated with the remote resource communicate using differentprotocols or mediums, a translating proxy (e.g. a router) may bridge thegap between them without loss of security/privacy.

The data processing device itself, or an intermediate network nodebetween the data processing device and the remote resource, may have atransaction queue for queuing transactions to be sent to a deviceassociated with the remote resource. The device associated with a remoteresource may in some cases be the device providing the remote resourceitself or may be another device which controls the remote resource. Thedevice associated with the remote resource may pull the transactionsfrom the transaction queue when it is ready to process the transactions.The transactions in the transaction queue may be encrypted to maintainsecurity. The transaction queue is useful because it allows the dataprocessing device and the device associated with the remote resource tocommunicate asynchronously. Even if the data processing device anddevice associated with the remote resource are not simultaneously in anactive state, the data processing device can post transactions to thequeue and the device associated with the remote resource can pull thetransaction from the queue when it next wakes up.

Some devices may function both as a data processing device for accessinga remote resource and a device associated with a remote resource to beaccessed by another device.

When instructing a specified operation to be performed using the remoteresource, the data processing device may have to prove its identity, sothat unauthorized devices cannot control the remote resource ininappropriate ways. Therefore, the data processing device may have, orbe able to obtain, authentication information for verifying that thedata processing has the right to instruct the specified operation to beperformed using the remote resource. The authentication information mayfor example include a certificate and/or a public key associated withthe data processing device which verifies the identity of the devicesending the transaction.

When receiving a transaction the device associated with the remoteresource can then check the authentication information and verifywhether the specified operation is allowed to be performed.

The authentication information may specify validity informationspecifying when the authentication information is valid (e.g. theauthentication information's validity may expire at the end of a giventime period). Also, the authentication information may define permissioninformation specifying which operations are allowed to be instructed bythe data processing device. This allows different access rights to begranted for different operations using the resource. For example, adevice may be allowed to read data but not write.

In some cases the authentication information may be obtained by thedevice associated with the resource from an authentication URL specifiedin the transaction sent from the data processing device. Hence, the dataprocessing device need not provide the authentication informationitself, but may specify a location from which the authenticationinformation can be maintained. For example, the authentication URL maybelong to a certificate issuing authority.

This approach makes it easier for relatively small data processingdevices to control the remote resource, since it is not necessary forthe data processing device to transmit certificates or otherauthentication information.

In some cases the authentication URL may be a URL identifying the dataprocessing device itself, or may identify a different location.

The authentication URL may have a fingerprint portion which is generatedusing at least part of the authentication information held by the dataprocessing device. This means that a device issuing a transaction forthe remote resource can only succeed if it already has access to theauthentication information, otherwise it will not be able to direct thedevice associated with the remote resource to the correct authenticationURL for the authentication information. For example, the fingerprint maybe a hash of part of the certificate of the authentication information,or a value encrypted using the public key. The fingerprint providesassurance that the correct version of the authentication information hasbeen provided and has not been modified since it was authored. Forexample, if a party's website domain gets transferred to someone else,they cannot post a valid new version of“https://my-site/certs/geraint/12b274a” because the fingerprint will notmatch.

In some cases, there may be a chain of authentication informationrequired to verify that a device is authorized to control the remoteresource. For example, one certifying authority may certify anotherauthority to issue certificates, and so parties authorized by the secondauthority may need to cite the certificates issued by both certificateauthorities in order to be verified. In this case, the authenticationURL fingerprint may be derived from each piece of authenticationinformation in the chain, to ensure that only someone having all thelinks of the chain can be authenticated for controlling the resource.

The device associated with the remote resource may obtain theauthentication information from the authentication URL via a differentcommunication channel to the communication channel used to transmit thetransaction. For instance, the data processing device may issue atransaction to a door device (acting as remote resource) by submitting atransaction over one channel (e.g. Bluetooth). The data processingdevice may cite the authentication URL in the transaction (e.g.https://abc.xyz.com/ufO7ZxhqJRwpI) so that the door device can obtainthe authentication credentials. However, obtaining these credentialsover Bluetooth from the device to the door in this way may beinefficient, slow or otherwise undesirable, so instead the door may usessome other unrelated route (e.g. house router, or a wired connection) tofetch the credentials.

The authentication information of the data processing device may becached by at least one network node. The device associated with theremote resource can use the cached authentication information to verifythat the data processing device has the right to instruct the specifiedoperation to be performed using the remote resource. This allowsauthentication credentials to be obtained more quickly than if theyalways had to be sourced from the authentication URL. The node whichcaches the authentication information may belong to a different party tothe party operating the authentication URL and the user of the dataprocessing device.

The authentication information may separately define validityinformation specifying a time period when the authentication informationis valid and cacheability information specifying a time period when theauthentication information can be cached in the network. Thecacheability information may specify a shorter period for caching thanthe period set in the validity information. This means that cachedcopies of the authentication information are discarded periodicallywhile the authentication information remains valid, so that theauthentication credentials will then need to be resourced from theoriginal authentication URL. Access to a particular user can then berevoked easily by removing the authentication credentials for that userfrom the authentication URL. In contrast, if no limit on cached copieswas set, then to revoke the right to control the remote resource one mayneed to set a shorter validity period, so that there is more managementoverhead in generating new authentication information and making thisavailable to authorized users more frequently. Hence, the cacheabilityinformation helps to make management of authentication information moreefficient.

Similarly, separate validity and cacheability information may also bedefined for other cached resources. For example, a long lived piece ofdata, such as a device address, may also benefit from separatecacheability and validity periods to allow for revocation of access morefrequently than new versions of the data are generated.

The periods specified by the validity information and the cacheabilityinformation may be any specified time or usage conditions. For example,the periods may be specified in seconds, minutes, hours, days, weeks,months, years, etc. The periods may have defined start and endtimes/dates/years or may only have an expiry time/date. The periods mayalso include non-continuous periods such as “every Monday until acertain date”. Also, the periods may be based on the number of times theauthentication information is used, rather than a time period (forexample, valid for 100 accesses, cached copies discarded after 10accesses).

The present technique may be implemented using at least one computerprogram executed by at least one device which controls the at least onedevice to perform the method as discussed above. The at least oneprogram may be stored on at least one computer readable storage medium,which may be for example a non-transitory storage medium.

Viewed from another aspect, the present technique provides a dataprocessing device comprising:

processing circuitry configured to perform data processing; and

communication circuitry configured to access a remote resource;

wherein the processing circuitry is configured to:

(a) obtain a first uniform resource locator (URL) corresponding to theremote resource and obtain secret data corresponding to the first URL;(b) generate an obscured URL using the secret data corresponding to thefirst URL, wherein the obscured URL is for obtaining the actual locationof the remote resource; and(c) control the communication circuitry to access the remote resourceusing the obscured URL.

Viewed from a further aspect, the present technique provides a dataprocessing device comprising:

processing means for performing data processing; and

communication means for accessing a remote resource;

wherein the processing means is configured to:

(a) obtain a first uniform resource locator (URL) corresponding to theremote resource and obtain secret data corresponding to the first URL;(b) generate an obscured URL using the secret data corresponding to thefirst URL, wherein the obscured URL is for obtaining the actual locationof the remote resource; and(c) control the communication means to access the remote resource usingthe obscured URL.

Viewed from a further aspect, the present technique provides a method ofproviding a data processing device with access to a remote resourcewhose actual location is identified by a resource uniform resourcelocator (URL), the method comprising:

generating secret data corresponding to a user of the data processingdevice;

generating an obscured URL using the secret data corresponding to theuser;

storing data for obtaining the resource URL to a location identified bythe obscured URL; and

providing the data processing device with (i) a first URL foridentifying the remote resource to the user and (ii) the secret data forobtaining the obscured URL.

In a corresponding manner to the technique discussed above, a contentauthor or party managing a remote resource may provide access to theresource for another user by generating secret data and obscured URL forthe user, establishing a key node resource at the obscured URL to allowthe user to obtain data for obtaining the actual resource URL, andprovide the user's device with the first URL which the user can use torefer to the resource and the secret data for obtaining the obscuredURL. By providing different users with different secret data anddifferent obscured URLs, this allows the content author to provide userspecific representations of content for each user.

Viewed from another aspect, the present technique provides a dataprocessing device comprising:

processing circuitry configured to perform data processing; and

communication circuitry configured to access remote locations;

wherein the processing circuitry is configured to:

(a) generate secret data corresponding to a user of a data processingdevice to be provided with access to a remote resource whose actuallocation is identified by a resource uniform resource locator (URL);(b) generate an obscured URL using the secret data corresponding to theuser; and(c) control the communication circuitry to store data for obtaining theresource URL to a location identified by the obscured URL, and toprovide the data processing device with (i) a first URL for identifyingthe remote resource to the user and (ii) the secret data for obtainingthe obscured URL.

Viewed from a further aspect, the present technique provides a dataprocessing device comprising:

processing means for performing data processing; and

communication means for accessing remote locations;

wherein the processing means is configured to:

(a) generate secret data corresponding to a user of a data processingdevice to be provided with access to a remote resource whose actuallocation is identified by a resource uniform resource locator (URL);(b) generate an obscured URL using the secret data corresponding to theuser; and(c) control the communication means to store data for obtaining theresource URL to a location identified by the obscured URL, and toprovide the data processing device with (i) a first URL for identifyingthe remote resource to the user and (ii) the secret data for obtainingthe obscured URL.

Further aspects and features of the present technique will be apparentfrom the following examples which are to be read in conjunction withaccompanying drawings.

FIG. 1 illustrates an example of a data processing device accessing aremote resource;

FIG. 2 illustrates an example of a site secret for the remote resource;

FIG. 3 illustrates an example of accessing the resource at an obscuredURL generated using the site secret;

FIG. 4 illustrates a method of accessing a remote resource;

FIG. 5 shows an example where the obscured URL identifies a key noderesource which contains data for providing the URL of the remoteresource;

FIG. 6 illustrates a method of providing a data processing device withaccess to a remote resource;

FIG. 7 illustrates an example of using an expansion URL to obtaindifferent site secrets for accessing the resource;

FIG. 8 shows an example of revoking a user's membership of a groupallowed to access a remote resource;

FIG. 9 shows an example of providing different site secrets foraccessing different resources corresponding to parts of the same site orcollection of resources;

FIGS. 10A to 10D illustrate a method of transitioning a legacy resourceto a more secure resource using obscured URLs;

FIG. 11 shows an example of a network in which data and transactions forremote locations may be cached at nodes of the network;

FIG. 12 shows an example of obtaining authentication information forverifying that a device is authorized to instruct an action to beperformed at the remote resource.

FIG. 1 illustrates an example of a data processing device 2 accessing aremote resource 4 in the cloud when the present technique is notapplied. For example, the data processing device 2 may be a health caremonitor which monitors various parameters related to the user's health,such as heart rate, blood sugar level, temperature, etc. The monitoreddata is provided to a cloud service, such as a platform provided by ahealthcare provider which can analyze the user's health data and flaghealth problems detected using the data. The data is posted to a remotelocation identified by a URL (e.g. /data/health/summaries). However, theURLs used by devices and users often contain intuitive informationidentifying the user, their device 2, or the purpose of the data, sothat the URL can easily be remembered or understood by the user of thedevice 2. Therefore, the URL may often contain sensitive or personalinformation, such as the user's name or location, the device's make,model, type, or location, or information about the meaning of the dataprovided by the device. Therefore, the cloud provider, an internetinfrastructure operator or other parties may be able to derive personalinformation from the URL even if the data stored at the URL isencrypted. There is an increasing distrust in allowing companies toaccess such information.

To address this issue, the data processing device may be provided withsecret information as shown in FIG. 2. This secret information iscollectively referred to as a “site secret”. The site secret is providedfor a particular URL (“first URL”) and for a particular user or device.The user/device can use the first URL to identify the remote resource.However, the first URL does not identify the actual location of theremote resource. The site secret is for mapping the first URL to adifferent obscured URL which is used to find the actual location of theremote resource. In this way, there is no need for network operators orcloud providers to see an intuitive URL, as only the obscured URL needsto be exposed to the network. Nevertheless, the user can still use anice intuitive URL to make interaction with the resource moreconvenient.

As shown in FIG. 2, the site secret includes a scope which specifies theremote resources to which the site secret applies. In this example, thescope portion indicates the paths or subpaths of the resources to whichthe site secret applies. In this example, the site secret applies to thepath “/data”. Implicitly, the site secret may also apply to all subpathsof the path indicated in the scope. Hence, accesses to resources notwithin the specified path (including subpaths) may not succeed. In otherexamples, the scope may specify further conditions which must be met inorder for an access to be successful (e.g. time based or use basedconditions).

The site secret also includes URL encoding information which specifieshow to generate the obscured URL of the resource. In this example, theURL encoding information includes a secret string to be used as a keyfor transforming the first URL into the obscured URL, data defining atransformation to use for generating an encoded string for the obscuredURL (e.g. SHA256 in this example) and a template URL into which theencoded string can be inserted to form the obscured URL. SHA256 is aone-way transformation which means that even if the secret string (key)is known, it is not possible to use the key to transform the obscuredURL back into the first URL. Other transformations may also be used(e.g. md5, other SHA algorithms, CRC32). In this example, the templateis “/data/{hex:22}”, which means that a 22-character truncated stringgenerated based on the SHA256 algorithm is inserted into the template tocreate the obscured URL. The string to be inserted into the template maybe a truncated version of the actual result of the transformation (it isnot essential to use all bits of the encoded string in the URL). Inother examples the full string generated by the hash algorithm may beused. The site secret also includes content encoding informationdefining how to encode document content or transactions to be sent tothe remote resource. Another secret string may be used as a key forencoding the content, e.g. using the AES192 algorithm as shown in FIG.2.

Hence, as shown in FIG. 3, instead of posting content in the clear tothe first URL, the healthcare device 2 may post encrypted content to anobscured URL, so that both the content and the URL corresponds to anunintelligible string of characters which does not give away anysensitive information.

FIG. 4 illustrates a method of accessing a remote resource from a dataprocessing device 2. At step 10, a first URL corresponding to the remoteresource is obtained by the data processing device 2. The first URL maybe obtained, for example, by the user typing in a URL into a browser,the user clicking a link in an email or website, reading a pre-storedURL, or accessing a fixed URL permanently embedded into the device atmanufacture, or in any other way. At step 12, the site secretcorresponding to the first URL is obtained, and used to generate anobscured URL. At step 14, the remote resource is accessed using theobscured URL. Hence, this approach allows devices to serve data and beaccessed remotely without giving away information in the URL of thedevice.

The data processing device 2 may be any processing device which needs toaccess a remote resource. The present technique is particularly usefulfor small scale devices such as sensors, controllers or wireless nodesin the cloud. In some cases, the data associated with the remoteresource may be served from the resource itself such as a temperaturesensor, or healthcare device. In this case the device itself may beidentified by the obscured URL. Alternatively, such resources may begiven a cloud address for high availability which is then accessed froma separate server corresponding to the resource device.

For privacy, it is preferable that the first URL does not correspond toany real location within the cloud. This means that the first URL iscompletely invisible to network operators and cloud providers. However,in some cases the first URL may also map to a real location on thenetwork, for example when converting a legacy site to a new site asdiscussed below with respect to FIGS. 10A to 10D. Also, in some casesthe first URL may identify a location with different content to theremote resource identified using the obscured URL.

FIGS. 2 and 3 show an example in which the obscured URL is generated bytransforming the first URL using a transformation algorithm such asSHA256. However, it is also possible to generate the obscured URL inother ways. For example, rather than providing a separate site secretincluding a key for scrambling the URL, the secret data may instead beincluded in the first URL, with different users provided with differentsecret data. For example, a first URLhttp://meriac.com/pips/this/is/my/tv?secret=4567 may include secret data4567 for a particular user or group of users. The device 2 may hash thisURL using a predetermined algorithm (e.g. CRC32 or SHA256) to generate asecret string “9677BE35” so that the obscured URL becomeshttp://meriac.com/pips/9677BE35. In general, the secret data may be anydata which provides information for generating the obscured URL whichshould be accessed instead of the first URL.

In some cases, a third party plugin or website-frame work may be used togenerate the obscured URL. For example, a Party A may create a pluginthat hashes URLs into node IDs (obscured URLs). The plugin does notunderstand the concept of having a URL secret, but can decrypt andverify URL file payloads. Another Party B may provide a Website-Framework that contains a java-script-include on each page that takes apre-defined URL-parameter (let's call it “secret”) and rewritesdynamically URLs of subsequent page requests of images and other contentlinked on the page. Another Party C (e.g. a content author) publishes alink to http://C.com/site.html?secret=xyz to a user D and a linkhttp://C.com/site.html?secret=abc to a user E (plus individual keys K(D)and K(E)), and authors user-specific key nodes (see below) for theindividually personalized URLs. Hence, in this example the secret datafor each user is included in the first URL itself.

The user D of the end device 2 then visits site C, and the plugin Aperforms secret-less hashing of http://C.com/site.html?secret=xyz intohttp://C.com/45c2d52c8b514a01. The plugin A performs decryption offetched content from this URL using K(D). The user's browser executesthe embedded JavaScript framework in site C, which rewrites all URLs inthe page by appending the secret=xyz parameter. Pages or resourcesfetched by the browser are then intercepted by the browser plugin A andhashed without additional secrets. For user E, the process may besimilar to user D, but with a different entry link.

It is possible to provide site secrets which can be used for multipledifferent remote resources. For example, a particular party may providea site secret which can be used by a user to access resources from arange of locations managed by that party. Hence, one secret may cover awhole range of URLs, and when encountering a new URL, the dataprocessing device may already be in possession of a secret suitable foruse with that URL and so may not need to acquire a new site secret.

The obscured URL may be obtained by the device 2 in different ways. Forexample, the generation of the obscured URL may be implemented usingembedded functionality within the device, using code which is part of abrowser or other software executed by the device 2, or using a browserplugin, applet or javascript obtained from a third party.

It is possible for the obscured URL generated using the first URL toidentify the location of the remote resource itself. However, it may bedesirable to provide different users with different versions of contentor access to different resources. To maintain security and the abilityto individually control the access to different users, it can be usefulto provide each user with a different site secret mapping to a differentobscured URL. However, if each obscured URL actually contained theremote resource itself, it would be difficult and time consuming tomaintain many different copies of the same remote resource for each userat different URLs.

FIG. 5 shows how different representations of the same resource can bemanaged more efficiently using key node resources. As shown in FIG. 5,the obscured (encrypted) URL generated using the site secret for a givendevice may identify the location of a key node resource K0-K2 which doesnot store the actual remote resource. Each key node resource K0-K2contains data for obtaining the actual resource URL of the remoteresource. This means that different users can be provided with access todifferent parts of the remote resource by specifying different resourceURLs at the key nodes (or by specifying the same resource URL but withdifferent pieces of associated information identifying which parts ofthe URL are accessible). For example, in FIG. 5 the users of devices D1and D2 access key nodes K1 and K2 respectively to obtain resource URL 1(e.g. http://abc.com/data/18659458.php) which gives them access to theentire remote resource. However, a user of device D0 obtains resourceURL 0 from key node K0 (e.g. http://abc.com/data/58159873.php) whichonly allows them to access a subset of the remote resource. Hence, thedifferent resource URLs provided by each key node may correspond tooverlapping parts or subsets of the remote resource. In other examplesthe resource URLs provided by different key nodes may correspond todifferent remote resources entirely.

This approach allows different representations of the data to beprovided to different users. For example, the different representationsprovided for the remote resource may provide different types of content,different content quality (e.g. full images or compressed images),different granularity of access to content (e.g. time series datasampled at hourly increments or daily increments), or different subsetsof data available to users. Each user may use the same first URL, and somay not be aware that other users have different access to data or thatthere are multiple representations of data being provided by the remoteresource. The access to the different forms of the resource iscontrolled by providing different site secrets for each user, whichcause the first URL to be mapped to different obscured URLs.

The key nodes K0-K2 may also store data for decrypting content at theresource URL. This means that only authorized users who havesuccessfully located a key node for the resource can obtain thedecryption key for decrypting the content.

The use of key nodes K0 to K2 as shown in FIG. 5 is also useful sincedifferent users can be granted and/or revoked access to the remoteresource by simply manipulating the key node resources without modifyingthe remote resource in any way.

For example, FIG. 6 shows a method of providing a user of a dataprocessing device 2 with access to the remote resource. The method canbe performed by a data processing apparatus for a content author orparty managing the remote resource. At step 20, a new site secret isgenerated for the user to be granted access to the remote resource. Atstep 22, the user's secret is used to generate the obscured URL for thatuser (the obscured URL may be generated in the same way as at step 12 ofFIG. 4). At step 24, a key node resource is established at the obscuredURL, including data for obtaining the resource URL of the remoteresource. At step 26, the first URL which the user will use to identifythe resource, and the site secret corresponding to the first URL, areprovided to the user's data processing device. The user's device canthen access the remote resource using the method of FIG. 4 via the keynode resource as shown in FIG. 5.

Access to the remote resource by a particular user can be revoked byremoving the key node resource at the URL generated using the sitesecret for that user. For example, see device D3 of FIG. 5 which has itsaccess revoked by removing the corresponding key node resource. When thekey node resource is removed, the user of the device can no longeraccess the remote resource since there is no way for them to obtain theresource URL. Hence, there is no need to move the actual resource when auser's access is revoked. For added security the resource could also bemoved, in case a user has managed to obtain and store the resource URL.

A user may have access to different site secrets for the same remoteresource. For example, a user may have a personal site secret but mayalso have access to a group site secret associated with a group of usersor a generic site secret which is available to everybody. The expansionURL shown in FIG. 2 may be used to obtain additional site secrets. Asshown in FIG. 7, a number of site secrets 28 may be stored at theexpansion URL. The data processing device D0 may obtain the site secretsfrom the expansion URL, in addition to the initial site secret held bythe device D0. The device D0 then attempts to access one or moreobscured URLs generated using the different site secrets until an accessis successful. For example, the device D0 may try each obscured URL inturn. In the example of FIG. 7 the device first tries the obscured URLgenerated using the personal secret, then tries obscured URLs for twodifferent group secrets, before finding that the obscured URL generatedusing the generic secret successfully locates a real location KN on thenetwork from which the resource URL can be obtained. The device D0 mayalso try multiple accesses in parallel in case one fails, to speed upthe access. If multiple accesses are successful, there may be apredetermined priority order which determines which access to follow upon. This approach is useful because it means that group secrets do notneed to be held permanently by end devices D0, and instead can becontrolled more carefully from the expansion URL.

FIG. 8 shows an example of a revoking access to a remote resource for aselected user within a group previously allowed to access the resource.As shown in the left hand part of FIG. 8, the expansion URL includes agroup secret G0 for a group of users of devices D0-D2. The group secretG0 is used to generate an obscured URL G0 of a key node KG0 from whichthe resource URL of the shared resource can be obtained. This allows thedevices D0-D2 to interact with the resource.

However, the user of device D2 then leaves the group and so D2's accessto the remote resource is to be revoked. For example, the resource G maybe a device for controlling a door lock and the user of device D2 mayhave left the organization who owns the door, and needs to be preventedfrom entering. To achieve this, a new site secret G1 is generated at theexpansion URL for a new group G1 of users D0, D1 which excludes therevoked user D2. Hence, when the devices D0, D1 access the expansion URLthey obtain both secrets G0, G1 while device D2 only obtains secret G0.A new key node KG1 is created at the obscured URL corresponding to thenew site secret G1. The key node KG1 again has the resource URLidentifying the resource. The original key node for this group KG0 isthen removed so that any access to the URL obtained using secret key G0will fail. Hence, when devices D0 or D1 access the first URL, the secretG1 successfully maps to the obscured URL of key node KG1 and so they canstill access the door to unlock it. However, device D2 only has secretG0 which no longer maps to a real location, and so cannot locate theresource anymore. Hence, this mechanism using key nodes and theexpansion URLs provides an efficient way for controlling access toresources without having to republish the resource itself.

As shown in FIG. 9, it is possible to provide different site secretscorresponding to different resources within a same site or samecollection of resources. For example, users may generally be allowed toaccess the style sheets (CSS files) of a website, but individual accessrights may be controlled for the data of the website. The scopeparameter shown in FIG. 2 may be used to select the parts to which thesecret applies. Hence, a first generic secret X can be provided withscope “/styles” for accessing the style sheets for the website.Individual secrets may then be provided for scope “/data” which alloweach device D0-D2 to individually access different subsets of the data.The scope “/styles” for secret X means that this secret cannot be usedto gain access to the “/data” portion of the website.

As mentioned above, the first URL (intuitive URL) may not correspond toany real location within the network to prevent cloud operators gainingaccess to sensitive information. However, legacy sites and devices mayalready be published on the cloud using such an intelligible URL. Inthis case, the legacy site may be transitioned to a more secure siteusing the present technique as shown in FIGS. 10A to 10D. In FIG. 10A,the legacy site is shown with intelligible file paths and file names. InFIG. 10B, a new site is created in which the data from the legacy siteis replicated at non-intelligible resource URLs (indicated by thequestion marks in FIG. 10B). Also, key node resources K are establishedfor users of the website. The key node resources K have obscured URLsgenerated using the site secret for the user or group or user, andcontain data identifying the corresponding resource URL. For a time, thelegacy site and the new site can run in parallel, so at this time thefirst URL for the new site may still map to a real location on thenetwork corresponding to the legacy site. Once enough users have accessto the new site, the legacy site may be deactivated, leaving only theprivate site whose URLs are unintelligible. As shown in FIG. 10D, theserver's view of the website is then completely anonymous since all URLsused for the site are obscured URLs.

As shown in FIG. 11, the data processing device 2 may correspond tovarious devices such as a laptop or other computer D2, mobile phone D3,server D5, temperature sensor D4, health monitor D1 or door control unitD0 for example. Similarly, the remote resources may correspond tosimilar devices D0-D5. As indicated in FIG. 11, some devices D0, D2, D4,D5 may function both as a remote resource 4 to be accessed by otherdevices and as a data processing device 2 for accessing remoteresources. The devices communicate with each other via the Internet(cloud), using various intermediate network nodes such as networkrouters and ISP (internet service provider) devices and networks. Itwill be appreciated that the network diagram in FIG. 11 is schematic andthat there are many different ways of implementing the network.

Since the URLs of remote resources are anonymous using the presenttechnique, and also the transactions and data exchanged by devices maybe encrypted, then there is no danger of leakage of information to thenetwork. This allows intermediate network nodes, such as a router or ISPnetwork device, to have a cache 30 for caching data or transactionsexchanged with a remote location, without any security or privacy risk.For example, when the health monitor device D1 uploads data to theserver D5 then the posted data can be cached as it passes up thenetwork.

By caching the data at different points within the network, this meansthat if the data needs to be accessed by the device D1 then it can beobtained more quickly from a cache 30 in the home router or the ISPnetwork than if it had to go all the way back to the server D5.Similarly, transactions for triggering devices to perform actions may bestored in a queue 40 within the device D5 initiating the transaction, orwithin another network node. For example, if the user of the laptop D2or phone D3 wishes to open the door associated with device D0 (e.g. tolet a friend or neighbor into their house), then the laptop of phone mayissue a transaction to the door device D0 to open the door. However, thedoor device D0 may not be active at this time, e.g. it may be in a powersaving mode and may only wake up periodically to check the queue 40 fortransactions. When the door device next wakes up, it can poll the queue40 and then open the door. The transactions in the queue 40 may beencrypted. By providing a queue 40 in the end device D5 or intermediatenode of the network, the phone or laptop D2, D3 and the door D0 cancommunicate asynchronously so that it is not necessary for both devicesto be active simultaneously in order for them to communicate.

In order to read or write data from a remote resource or perform anaction using the remote resource, it may be necessary for the deviceissuing the transaction to prove its identity and verify that it isallowed to take this action. Hence, as shown in FIG. 12 when the device2 issues a transaction for a device 4 associated with the remoteresource, the device 2 may specify an authentication URL identifying alocation 50 from which the device 4 associated with the remote resourcecan obtain authentication data for the device 2. For example, theauthentication information may include certificates and public keyswhich verify the device's identity. In some cases there may be a chainof certificates where different parties authenticate differentsub-parties to provide further authentication and so the identity of theend device 2 may need to be verified using several certificates. It isalso possible for the device 2 to provide the authentication informationdirectly to the resource 4 as part of the transaction. However,especially if the device 2 is a relatively small device such as asensor, then it may be more convenient for the authenticationinformation to be obtained from the authentication URL 50. Whenobtaining the authentication information from the authentication URL,the remote device 4 need not obtain the authentication information usingthe same communication channel or route that was used to send thetransaction from the device 2. For example, when opening a door bysubmitting a transaction over Bluetooth, the door may use a differentroute (e.g. using a house router or wired connection) to fetchcredentials from the authentication URL.

The authentication URL provided with the transaction may include afingerprint portion 60 which is generated using the authenticationinformation for the device 2. For example, the fingerprint portion 60may be a hash of part of the certificate or public key of theauthentication information. This means that to be able to direct theresource device 4 to access the authentication information from theauthentication URL, the device 2 sending the transaction must itselfhave access to the authentication information. This improves thesecurity of the system by reducing the chance that an unauthorizeddevice could somehow direct the resource device 4 to a validauthentication URL with valid authentication information.

The authentication information may be cached at various locations withinthe network to make it quicker to access the authentication informationfrom a local network node. The authentication information may definewhich particular actions can validly be carried out by the remoteresource when instructed by the device 2. The authentication informationmay also specify validity information indicating a period of validityfor the authentication information (e.g. an expiry date/time, a periodwith a start data/time and end date/time, or a non-continuous period).It can be useful for the authentication information to separately definea period within which the authentication information is valid and aperiod within which the authentication can cached by network nodes. Evenif the authentication information is valid for a relatively long period,the cacheability period may be set to a shorter period. For example, aparticular certificate may be valid for six months so that theauthenticator does not need to update the certificates very often.However, by only caching the certificate for a shorter period (e.g. oneday), access to a given remote resource can be revoked more quicklysince cached copies of the authentication information will be discardedat the end of the day and then the certificate would need to be obtainedagain from its original source in order to continue access, allowingaccess to be controlled more easily.

A summary of some features of the present technique, known as “PiPS”(Privacy in Plain Sight), is provided below.

Goals:

A PiPS-enabled web service may:

Maintain privacy—users control who accesses their data (including cloudservices)

Provide personalized information for different people/groups

Minimize workload for low-power devices, moving it to cloud-servicesinstead

Enable cacheing, lowering network requirements and improving performance

Support asynchronous operations, to work with limited-connectivitydevices

Support time-series data

Principles:

Publish from the device, serve from the cloud

-   -   A device might make some resources/data available, but might        only wake up and connect to the wider web occasionally.    -   In this case, having a cloud service (including “mini-clouds”        such as local routers) host or mirror the data means high        availability, while still allowing devices to be lower-power.

Safely use untrusted data-stores/mirrors/caches

-   -   With PiPS, you have control over who understands your data,        regardless of where it is stored. Data is stored encrypted, at        obfuscated URLs—only devices and people who have permission to        read the data will be able to understand it.    -   This means that you don't have to trust every data-store, mirror        or cacheing proxy that sees your data. You can allow anybody to        proxy/cache your data (for high availability) without privacy        concerns.

Asynchronous communications across untrusted intermediaries

-   -   With PiPS, interaction with devices is asynchronous. Actions        intended for the device can be queued up in proxies or cloud        services, waiting for when the device is next online.    -   These actions are also stored encrypted, meaning that        device-to-device communication can be private (even if both        devices are only occasionally online), without exposing the        communications to a central service.

Broad-Strokes Design:

Surrogate URLs and encrypted content

-   -   Resources have nice friendly URLs (“conceptual URLs”), so        published content and interactions can be organized in a nice        way.    -   However, the URL that is actually requested from the server is        different: an opaque URL that does not reveal the nature of the        information to the server, proxies, caches, etc.    -   All content is stored in encrypted form, so only the end-devices        can understand it.

Perform actions using Queues

-   -   A PiPS Queue is a list of pending actions/notifications. To        perform an action, you POST it to a Queue. The target device        then pulls actions off the Queue to execute them.    -   Queues can be monitored in different ways—so a highly-connected        device can maintain an open connection to the cloud to get        instant notifications, a less-connected device could poll once a        minute, etc.    -   If an action requires a response, then a “response Queue” can be        included, to which the results of the action can be sent.

Time-series data in Queues

-   -   A Queue can be “turned around”—instead of many people adding        actions to a queue and one device reading it, you can have one        device publishing events to a queue, and many people reading it.    -   The methods for monitoring queues remain the same (polling,        notifications, WebSockets, etc.). Since the content is        encrypted, Queues can be proxied/cached—so the original Queue        might only support polling, but proxies can layer WebSockets on        top of that.    -   This means that a device can publish a set of events (using a        simple POST), and delegate the complex queries (e.g. “all events        since . . . ”) to cloud services, proxies, et cetera.

Site secrets and personalized content

-   -   A “site secret” is the information required to translate a        resource's “conceptual URL” into a surrogate URL, and to decrypt        the content.    -   Different people are provided with different secrets—so they        will end up at different surrogate URLs, so they can be provided        with different versions of the content.

General Principles:

Not trusting cloud providers

-   -   Don't leak data, structure, anything

Static resources (mirrorable/proxy/offline cache)

-   -   Devices can publish as many as they like    -   Supply custom content for some people

Actions submitted to queues

-   -   Authentication by certificate chain

Fits into existing web

Not trusting cloud providers: There's an increasing distrust of givinglarge companies data about yourself. Our current protection (mutable,rarely-read terms of service) is basically just trusting a company tobehave well. However, cloud services are useful, especially for deviceswith lower network availability, so we still want them.Data control: How about we never give the cloud provider usable data inthe first place? Encrypt everything, Uninformative URLs. This also givesus no fear of mirrors/proxies.

Comparison:

The data itself

-   -   Bad: plaintext data readable by anyone (inc. cloud)    -   Good: opaque blobs

Requests made to server

-   -   Bad: https://cloud.iot/my-house/bedroom/marital-aids/ . . .    -   Good: https://cloud.iot/c2V4bWFzdGVyLTMwMDA        Devices publish resources: We give all devices the ability to        publish resources. These resources could be served from the        device itself when available (e.g.        coap://<ipv6-address>/a210Y2hlbi1rZXR0bGU), with users relying        on various caches when it is not. Alternatively, these resources        could be given a cloud address (e.g.        https://iot.arm.com/a210Y2hlbi1rZXR0bGU) for high availability.        Requires agreement with cloud, but easier for device (generated        only once, always served from cloud). Note that a resource has        only one URL—the above two URLs are not equivalent.        Verifiable Owner: The URL for each resource can contain a part        computed from the fingerprint of the certificate to guarantee        integrity even when served from untrusted sources.        Surrogate Resources: Customizing content and enabling privacy.        Say the client has a secret comprising three parts:

Scope: http://me.example.com/iot/geraint

Template: http://me.example.com/iot/{hmac}

Secret: site-secret

When accessing a resource in this scope, the client actually accesses adifferent URL to the one it is given.

1. HMAC(original-url, secret)

2. base64url(hmac)

3. Use inside template

Example: With the above secret, when accessing the resourcehttp://me.example.com/iot/geraint/temp:

1. HMAC (http://me.example.com/iot/geraint/temp, site-secret)

2. base64url: d2hhdGV2ZXI

3. Fill template: http://me.example.com/iot/d2hhdGV2ZXI

The server only sees http://me.example.com/iot/d2hhdGV2ZXI—nothing thathints to the conceptual structure of the site.The original URL MAY still resolve to a plain-text resource, to givesomething useful/informative to clients not using this scheme. But thisis not essential.Key nodes: Duplicating content is generally inefficient. The actual nodeat the calculated URL could be a “key node”, meaning that it containsthe URL of the actual content along with a decryption key—all encryptedusing the site secret used to calculate that URL.Privacy-enabled Mode: Private versions of resources and plain resourcesdo not mix. If you are viewing a private version of a resource(hopefully with some visual indication), then your clients should notfollow links or fetch related resources with their original URL. If thesurrogate resource 404s, then the request should fail. This means thatthe “original resource” for hidden resources doesn't need to actuallyexist, and shouldn't be requested, keeping the actual structure of theresources hidden from the server.Multiple secrets: Even using key nodes, it is a burden to calculate asurrogate node for every possible user, for every resource in your site.However, a user can be in possession of multiple site secrets, such as apersonal site secret and group site secret. This way, content that isavailable for every member of a group can use a single surrogate node,while other content can be encoded on a person-by-person basis.Obtaining More Secrets: In reality, you don't want to hand the groupsite secret out. Otherwise, when you change it (e.g. to exclude a groupmember) you need to re-distribute the new one to everyone. Instead, youonly hand out personal site secrets. To obtain more site secrets,clients can fetch the “scope” URL (using their personal site secret).The resulting document will be a list of site secrets to use forsubsequent browsing.Alternative: have separate “secret expansion” URL, instead of usingscopeWebsite sections: Not only can you provide additional site secrets forgroup content, you can provide secrets for only parts of a site. Forinstance, if all your JavaScript and CSS lives in /style/, then you canspecify a site secret specifically for that section. That way, clientsdo not waste effort first trying to access those resources usingpersonal and group site secrets.Action Queues: Instead of taking actions directly, resources can specifya queue to which actions can be posted. There can be more than one ofthese queues, listed in preferential order—e.g. first the direct one(usable by BlueTooth locally), next hosted by local WiFi router, then oncloud service. Resources describe the actions that can be taken usingtheir queues, optionally with an encryption key so that such the actualactions remain opaque to the cloud service.Authentication by Certificate Chain: When an action is submitted, theURL of a resource (certificate) can be supplied that explains why theagent believes it has permission to perform that action. Eachcertificate specifies a public key that can be used for a particularpurpose, and comprises:

Validity conditions (time/location/whatever)

Constraints (e.g. “Can turn on”)

Possibly reference to parent certificate

Understanding Certificates: The actual vocabulary of what actionsare/aren't allowed doesn't need to be universal—just understood by theend device. There may be some standard ones, though, e.g. Ownership—cando anything, Full use—can do anything except change owners

EXAMPLE

For the private key: <ABCDE>

Until: 2014-06-18T18:32

Allowed actions:

view recent history

issue new certificates like:

Allowed actions:

view recent history

This certificate could be used to let <ABCDE>view recent history.It could also be referenced by a new certificate (signed by <ABCDE>)authorizing another entity to view the recent history.Offline case (e.g. unlocking a door in the desert)If wider network access is not available, then the agent wishing toperform the action can make itself available as a mini-cloud/-proxy,therefore making the certificate chain available as well.Although illustrative embodiments have been described in detail hereinwith reference to the accompanying drawings, it is to be understood thatvarious changes and modifications can be effected therein by one skilledin the art without departing from the scope of the appended claims.

1. A method of accessing a remote resource from a data processingdevice, the method comprising: obtaining a first uniform resourcelocator (URL) corresponding to the remote resource; obtaining secretdata corresponding to the first URL; generating an obscured URL at thedata processing device using the secret data corresponding to the firstURL, wherein the obscured URL is for obtaining the actual location ofthe remote resource; and accessing the remote resource using theobscured URL.
 2. The method of claim 1, wherein the remote resourcecomprises encrypted data.
 3. The method of claim 1, wherein the firstURL is visible to the user of the data processing device.
 4. The methodof claim 1, wherein the first URL does not identify any actual locationof a remote resource.
 5. The method of claim 1, wherein the first URLidentifies a location of a different remote resource to the remoteresource accessed using the obscured URL.
 6. The method of claim 1,wherein the first URL cannot be obtained from the obscured URL using thesecret data.
 7. The method of claim 1, wherein the obscured URL isgenerated by performing a transformation of the first URL into theobscured URL using the secret data.
 8. The method of claim 7, whereinthe transformation is a one-way transformation.
 9. The method of claim1, wherein the obscured URL is generated based on the secret datacorresponding to the first URL.
 10. The method of claim 1, wherein atleast two data processing devices have different secret datacorresponding to the same first URL; wherein the at least two dataprocessing devices generate different obscured URLs using the differentsecret data, and access different remote resources corresponding to thesame first URL using the different obscured URLs.
 11. The method ofclaim 10, wherein the different remote resources comprise differentparts or subsets of a common remote resource.
 12. The method of claim 1,wherein the obscured URL identifies a location of a key node resourceand the key node resource comprises data for obtaining a resource URLidentifying the remote resource.
 13. The method of claim 12, wherein thedata at the key node resource comprises key information for decryptingdata at the remote resource, or wherein different key node resourcescorrespond to different users or groups of users, each key node resourceidentified by an obscured URL generated using secret data associatedwith the corresponding user or group of users.
 14. (canceled)
 15. Themethod of claim 13, comprising revoking access to the remote resource bya user or group of users by removing the key node resource correspondingto the user or group of users.
 16. The method of claim 13, comprisingrevoking access to the remote resource by at least one selected user ofa selected group of users by: (i) generating new group secret datacorresponding to the first URL for the selected group of users, andproviding access to the new group secret data to users of the selectedgroup other than the at least one selected user; (ii) creating a new keynode resource identified by a new obscured URL generated using the newgroup secret data, the new key node resource comprising data forobtaining the resource URL of the remote resource; and (iii) makinginaccessible the key node resource previously corresponding to theselected group of users.
 17. The method according to claim 1, whereinthe data processing device maintains the secret data together with anexpansion URL for obtaining at least one further secret datacorresponding to the first URL, where the at least one further secretdata is for generating at least one further obscured URL.
 18. The methodaccording to claim 17, wherein the data processing device attempts toaccess one or more locations identified by one or more of the obscuredURL and the at least one further obscured URL until an access to one ofthe one or more locations is successful.
 19. The method according to anypreceding claim 1, wherein the secret data is associated with conditionsfor determining whether access to the remote resource may be grantedusing the secret data. 20.-32. (canceled)
 33. A data processing devicecomprising: processing circuitry configured to perform data processing;and communication circuitry configured to access a remote resource;wherein the processing circuitry is configured to: (a) obtain a firstuniform resource locator (URL) corresponding to the remote resource andobtain secret data corresponding to the first URL; (b) generate anobscured URL using the secret data corresponding to the first URL,wherein the obscured URL is for obtaining the actual location of theremote resource; and (c) control the communication circuitry to accessthe remote resource using the obscured URL.
 34. (canceled)
 35. A methodof providing a data processing device with access to a remote resourcewhose actual location is identified by a resource uniform resourcelocator (URL), the method comprising: generating secret datacorresponding to a user of the data processing device; generating anobscured URL using the secret data corresponding to the user; storingdata for obtaining the resource URL to a location identified by theobscured URL; and providing the data processing device with (i) a firstURL for identifying the remote resource to the user and (ii) the secretdata for obtaining the obscured URL. 36.-41. (canceled)